Agentic Intelligence · Infomly
Jun 20, 2026
3:03 AM
Enterprise AI Impact

Your SIEM is the attack vector. Splunk has unauthenticated RCE in the wild and CISA says patch by Sunday.

CVE-2026-20253 just changed the security playbook.

CVSS 9.8.
Unauthenticated.
Remote.
No credentials required.

The PostgreSQL sidecar service endpoint in Splunk Enterprise has zero authentication controls.
Any network-reachable user can create or truncate arbitrary files.
Full system compromise. Zero steps needed.

WatchTowr published the PoC on June 12.
Splunk confirmed active exploitation on June 18.
CISA added it to the KEV catalog the same day.
Federal agencies have until June 21 to patch.
That is tomorrow.

1,400+ internet-exposed Splunk instances are tracked by Shadowserver.
952 in North America. 223 in Europe.
Unknown how many are vulnerable.

This is the security equivalent of the guards falling asleep.
Your SIEM is the system designed to catch attackers.
If an attacker compromises it, they can delete logs, tamper with alerts, and operate undetected across your entire environment.
The detection layer becomes the evasion layer.

Affected versions: Splunk Enterprise 10.2.0 through 10.2.3 and 10.0.0 through 10.0.6.
Disable the PostgreSQL sidecar service if you cannot patch immediately.
But know this: disabling it breaks Edge Processor, OpAmp, and SPL2 data pipelines.

Audit your Splunk deployment today.
Check your version. Check your exposure. Check your logs for indicators of compromise: path traversal sequences in PostgreSQL connection parameters, unexpected pg_dump or pg_restore execution, database dump files in unusual locations.

If you are running an affected version, you are in the blast radius.
Patch now or accept that your SOC is blind.
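
An added triage sketch for the version and log checks described above; it is not Splunk or vendor code. The sample log lines are constructed, and the log format, the dump file extensions and the expected backup directory are assumptions to adapt to your own deployment.

```python
import re
from urllib.parse import unquote

# Affected ranges as stated in this post: 10.2.0-10.2.3 and 10.0.0-10.0.6.
AFFECTED = {(10, 2): 3, (10, 0): 6}  # (major, minor) -> highest affected patch

def is_affected(version):
    """True if an x.y.z version string falls inside a range listed above."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    return patch <= AFFECTED.get((major, minor), -1)

TRAVERSAL = re.compile(r"\.\.[/\\]")                # ../ or ..\ after decoding
PG_TOOLS = re.compile(r"\b(pg_dump|pg_restore)\b")  # flag for analyst review
DUMP_FILE = re.compile(r"(/\S+\.(?:dump|sql))\b")   # assumed dump extensions
# Assumption: the only directory where dump files are expected on this host.
EXPECTED_DUMP_DIRS = ("/var/backups/",)

def classify(line):
    """Return the indicator names from the post that match one log line."""
    decoded = unquote(unquote(line))  # undo single and double URL-encoding
    hits = []
    if TRAVERSAL.search(decoded):
        hits.append("path_traversal")
    if PG_TOOLS.search(decoded):
        hits.append("pg_tool_exec")
    if any(not p.startswith(EXPECTED_DUMP_DIRS) for p in DUMP_FILE.findall(decoded)):
        hits.append("dump_in_unusual_location")
    return hits

def triage(lines):
    """Return (line_number, indicators) for every line with at least one hit."""
    return [(n, hits) for n, line in enumerate(lines, 1) if (hits := classify(line))]

# Constructed sample lines, not real Splunk log output.
SAMPLE = [
    "conn params: host=127.0.0.1 dbname=app user=svc",
    "conn params: host=127.0.0.1 dbname=..%2F..%2Ftmp%2Fx user=svc",
    "exec: pg_dump --file=/tmp/out.dump appdb",
    "exec: pg_restore /var/backups/nightly.dump",
    "wrote file /opt/data/report.csv",
]

if __name__ == "__main__":
    for n, hits in triage(SAMPLE):
        print(n, hits)
```

A `pg_tool_exec` hit on its own only means the tool ran; whether it was unexpected depends on your backup schedule and which account launched it.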